ci: Skip test suite when no code files changed #5889

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft

stephanie-anderson wants to merge 5 commits into master from chore/skip-tests-with-code-unchanged

Draft

ci: Skip test suite when no code files changed #5889

ci: Also skip tests on push when no code files changed

@sentry/warden / warden: find-bugs completed Mar 26, 2026 in 10m 7s

2 issues

find-bugs: Found 2 issues (1 high, 1 medium)

High

Tests on protected branches not always running as documented - `.github/workflows/test-integrations-ai-workflow.yml:51`

The PR description states 'Pushes to master/release//major/ branches always run the full suite', but the implementation does not include this behavior. The changes job unconditionally runs dorny/paths-filter for all events, including push events on protected branches. For push events, the filter compares against the previous commit, so if a push to master only modifies documentation files, tests will be skipped. This violates the stated requirement and could allow untested code to reach production branches.

Also found at:

.github/workflows/test-integrations-ai.yml:51
.github/workflows/test-integrations-graphql.yml:51
.github/workflows/test-integrations-misc.yml:51
.github/workflows/test-integrations-tasks.yml:51
.github/workflows/test-integrations-web-2.yml:51
scripts/split_tox_gh_actions/templates/base.jinja:36-56
.github/workflows/ci.yml:44-45
.github/workflows/test-integrations-common.yml:51
.github/workflows/test-integrations-flags.yml:51
.github/workflows/test-integrations-gevent.yml:51
.github/workflows/test-integrations-network.yml:51
.github/workflows/test-integrations-web-1.yml:51
scripts/split_tox_gh_actions/templates/test_group.jinja:3

Medium

Gate job does not handle 'cancelled' status for changes job, potentially allowing bypass - `.github/workflows/test-integrations-graphql.yml:122-124`

The check_required_tests gate job checks for needs.changes.result == 'failure' but not 'cancelled'. In GitHub Actions, job results can be success, failure, cancelled, or skipped. If the changes job is cancelled (e.g., due to infrastructure issues or edge cases), the gate condition needs.changes.result == 'failure' would be false, and since test-graphql would be skipped (its dependency didn't complete successfully), the second condition also evaluates to false. This allows the gate to pass without tests running.

Duration: 10m · Tokens: 4.4M in / 69.9k out · Cost: $6.84 (+extraction: $0.02, +merge: $0.01, +fix_gate: $0.00)

Annotations

Check failure on line 51 in .github/workflows/test-integrations-ai-workflow.yml

sentry-warden / warden: find-bugs

Tests on protected branches not always running as documented

The PR description states 'Pushes to master/release/**/major/** branches always run the full suite', but the implementation does not include this behavior. The `changes` job unconditionally runs `dorny/paths-filter` for all events, including push events on protected branches. For push events, the filter compares against the previous commit, so if a push to `master` only modifies documentation files, tests will be skipped. This violates the stated requirement and could allow untested code to reach production branches.

Check failure on line 51 in .github/workflows/test-integrations-ai.yml